deloitte-nl-risk-cyber-value-at-Risk-in-the-Netherlands

Cyber Value at Risk
in the Netherlands

10 billion value lost through
cyber risk in The Netherlands
Insights drive performance Everywhere analyticswww.stateofthestate.nl

Preface
In the year 1609, during a period of extraordinary economic growth
from naval trade that the Dutch refer to as “the Golden Age”, the
Dutch legal scholar Hugo the Groot introduced the principle of
Mare Liberum. Mare Liberum (Latin for “open sea”) is the term used
in international law to designate the principle of free trade at sea.
According to this principle oceans and seas belong to everyone and
all countries should have free access to the sea for travel and trade.
The principle was hotly contested over the next few centuries, but
it eventually led to a set of rules that, when properly enforced, have
made naval trading into one of the worldwide drivers of economic
growth.
This principle also applies to the communication network that is
the source of growth in the information age: Internet Liberum.
However, similar to all the different traders and nations sailing the
seas during the Golden Age, we will have to fight for a safe and free
cyberspace today. Certain individuals abuse the freedom and open-
ness of the Internet by hacking into systems to steal and disrupt.
The same things that make the Internet so valuable also make it
vulnerable.
With great freedom comes great responsibility. To grow, you need
to create as much safe space as possible. All organizations that
navigate cyberspace need to take their responsibility and join for-
ces in the battle against evil through a distributed network where
everything is connected and nobody is in charge. If we are vigilant
and respond effectively to attacks, we can keep the pirates at bay. If
we organize our defenses, we can navigate, create and do business
in a safe and open cyberspace.
In this spirit, the World Economic Forum launched its initiative
“Risk & Responsibility in a Hyper-connected World” in 2011. One of
the key initiatives to enable cooperation and information sharing
between organizations was to create a shared cyber risk model.
Together with the Forum, and with the input of hundreds of inter-
national experts, business and policy leaders in cyber risk manage-
ment, this eventually led to our report on Cyber Risk Quantification
and the introduction of the Cyber Value at Risk concept early 2015.
We have transformed the concepts developed with the Forum into
an operational model to quantify cyber risk. As a first application
of this model, our team has determined the quantitative impact
of cyber risk on organizations in the Dutch sectors with largest
risk exposure. This report presents the results of this endeavor.
It provides insights in cyber risk in the Netherlands and enables
Dutch organizations to benchmark their exposure against industry
averages.
We believe that organizations should continue to strengthen their
Cyber Risk Management strategy, policies and controls, both in
terms of prevention as well as detection and response. We encou-
rage Dutch organizations to use this model to quantify their cyber
risks and share, discuss and interpret the results. We hope this
leads to more effective cyber security investments as well as colla-
boration on improving the model. In the spirit of tending a shared
space, we cordially invite you to join our community and further de-
velop this model with us. We look forward to become your partner
to ensure your portfolio of security investments is balanced and
enables your organization to innovate with confidence.
We hope you enjoy reading this report.
Jacques Buith
Risk Services Leader - The Netherlands

Executive Summary
Information technology enables economic
growth and creates value for organizations in all
sectors. As technologies develop exponentially,
it is a strategic imperative for your organizati-
on to accelerate its innovation by making your
business technology-enabled and informati-
on-based. The increasing amount of data this
generates creates value and in turn empowers
employees and customers through easy-to-use
information technology.
With this strategic value, your organization
increasingly and unavoidably takes on risk of
information abuse: confidential information may
end up in the wrong hands, your ICT systems
may get disrupted or, if certain information gets
changed, you may lose control over your assets
or product quality. This information abuse could
lead to value loss for your organization, this is
cyber risk. Such value losses would constitute
either loss of intangible value (like market share
or product quality) or loss of tangible value (like
stolen cash or additional expenses through
claims, fines and recovery).
Your organization needs to responsibly balan-
ce the strategic value of innovation with the
unavoidable cyber risk this brings. This requires
insight into the potential value loss and for this
reason we have developed the Cyber Value at
Risk (VaR) model. It is based on the Value-at-Risk
concept widely used in managing investment
risk. In essence, Cyber VaR estimates how much
value might be lost in a “worst case” scenario,
i.e. when it exceeds a typical or expected loss
through cyber risk. This is important, because
the Cyber VaR can be much higher than the
expected value loss, thus identifying the level of
uncertainty.
The Cyber VaR model is a work in progress. We
encourage you to apply this method to your
organization and compare your results with the
outcomes presented in this report. We are keen
to exchange the resulting insights and experien-
ce as this will lead to further improvements of
the model benefiting everyone.
Overall, our major findings are as follows:
• For the Dutch economy as a whole, the expec-
ted value loss is about €10 billion annually, or
1.5% of GDP, in line with earlier studies. This is
apparently the price we pay for our transition
to a more digital and on-line economy, which
also brings tremendous benefits to society.
• For most large Dutch organizations, the
uncertainty from cyber risk is significant, but
not critical. The potential value loss in a “worst
case” scenario is typically 8 times higher than
the expected value loss.
• Our study finds that the sectors with the hig-
hest cyber risk are Technology Electronics,
Defense Aerospace, Public, and Banking
(see page 13).
Our study also shows that a significant part of
the value loss from cyber risk goes undetected
or unreported. Using the Cyber VaR model, we
estimated that information abuse leading to
disruptions creates almost half of the total value
loss (€4.6bn) for the Dutch economy. Another
example of value loss that is hard to detect
and little reported concerns reduced control
over assets and products. This amounts to an
expected loss of €1.5bn for the Dutch economy,
about half of which occurs in the Public Sector.
This is associated with pollution from mass (or
“commodity”) crime activity as well as abuse for
cyber espionage and concerns integrity of our
communications as well as control over public
assets such as roads, bridges, and water-locks.

Cyber espionage also leads to the loss of
Intellectual Property (€1.5bn) and Strategic
Information (€1bn). This is value loss that is hard
to detect and underreported1
. Cases reported in
the media are the tip of the iceberg. This leads
to value loss in particular for the Technology
Electronics and Defense Aerospace sectors.
For both these sectors, the Cyber VaR is about
17% of their income, a significant amount and
much higher than other sectors. For the Defen-
se Aerospace sector, this is partly caused by
the fact that organizations in this sector are rela-
tively small compared to other sectors2
. Such
abuse becoming public could be devastating for
an organization, as confidentiality is an impera-
tive in this sector.
Two other sectors bear high cyber risk mainly
due to potential abuse of Third-party or Priva-
cy-related Information. For the Business Pro-
fessional Services sector, the Cyber VaR is about
5% of income, which is 5 times higher than their
expected value loss. For the Banking sector,
Cyber VaR is about 7% of their income, which
is 18 times larger than their expected value
loss, which is a significant increase versus other
sectors. In the event that a significant breach
becomes public, organizations in these sectors,
that have trusted and regulated relations with
their clients, may effectively lose their license to
operate.
Most attackers behind value loss through
information abuse are well organized. They
share information and attack methods through
highly specialized criminal networks. Impro-
ving Cyber Resilience in the Netherlands also
requires being organized through knowledge
sharing and specialized cyber security services.
All sectors would benefit from such cooperation
to decrease cyber risks. This starts by properly
investigating incidents and sharing information
about abuse so we all learn from the problems
that individual organizations encounter. Since
we are all vulnerable, it is a sign of strength to
share lessons learned on how we resolved the-
se vulnerabilities.
We see the positive trend that organizations are
preparing for a possible breach and understand
that what limits the worst case value loss is the
quality of how they respond to such a breach.
The next step is to further improve collaboration
between organizations in cyber defense.
In summary, we encourage organizations to:
1. Carefully assess where and how they may
lose value in case of information abuse, also
bearing in mind the potential longer term or
intangible value loss;
2. Take responsibility for your part in the collec-
tive by responsibly sharing insights into cyber
risk management;
3. Consciously make cyber risk transparent and
quantify it - to take risk and unlock more value
from innovation -by using the Cyber VaR model.
If you believe your organization can benefit from
applying this quantitative lens to cyber security
investments, we cordially invite you to join our
community and further develop this model
together.
1 See for instance https://www.aivd.nl/onderwerpen/cyberdreiging/inhoud/
economische-cyberspionage
2 Smaller organizations tend to have smaller amounts of (valuable) informati-
on. Therefore, attackers can more effectively (i.e. quickly) locate and abuse
the information they target. This effect should also be held in mind when
applying our results to smaller organizations in other sectors.

Introduction 8
The Dutch cyber landscape 9
Attribution of impact 13
Attribution per information asset 14
Sectors with highest cyber risk 15
Cyber VaR per Threat profile and sector 16
Interpretation guide 18
Oil, Gas Chemicals 19
Public Sector 20
Wholesale Retail 21
Asset Management Pensions 22
Insurance 23
Consumer Goods 24
Banking 25
Telecom 26
Technology Electronics 27
Business Professional Services 28
Transportation 29
Media 30
Utilities 31
Defense Aerospace 32
Methodology and approach 35
Contact 40
About the authors 41
Selection of literature 42
Content

Introduction
Entrepreneurship implies taking risk. Reaping
the benefits of digital technologies is no dif-
ferent. The automation, scaling, and now also
cognitive, benefits of technology enable new
ways of value creation at a rate seemingly unpa-
ralleled in history. However, the same applies to
the “business models” of criminals, spy agencies,
terrorists and activists. Understanding the size
and nature of this threat to your organization
is key to unlocking the potential value of digital
technologies.
Motivation
Our mission is to make a positive, meaningful
impact on society. As accountant and advisor,
assessing and quantifying risk is in our DNA.
By providing a comprehensive quantitative
overview of the magnitude and nature of the
economic consequences of cyber risk for Dutch
organizations, we provide the information that
helps organizations to make rational decisions
related to cyber security investments. It also
enables organizations to focus their efforts whe-
re they have the most impact. In this way, we
believe we are taking an important step towards
making cyberspace safe.
New vulnerabilities and cyber incidents appear
in the media every day. However, the magnitude
of cyber risks is often abstract and difficult to
grasp. How much should be invested in cyber
security? Does a technology company need to
be as concerned as a telecommunication pro-
vider? What quantitative data provides a basis
to select and prioritize investments in cyber risk
management? The work Deloitte carried out
with the World Economic Forum leading to the
2015 report “Towards the Quantification of Cy-
ber Threats” introduced the “Cyber Value at Risk”
concept. This report is a first for its application.
What is cyber risk?
For the purpose of this report, the term cybers-
pace means the collective of connected techno-
logies. Cyber risk is defined as “the risk that an
adversary abuses corporate information assets,
with direct or indirect financial consequences”.
Our scope does not include human error, “ro-
gue insiders” (i.e. malicious insiders operating in-
dependently of outsiders) or “natural disasters”
such as the flooding of a datacenter.
Usage of this report
We have performed our analysis for the largest
sectors in The Netherlands using a specially de-
veloped methodology based on common practi-
ces in financial risk management, our knowledge
of each sector, as well as our extensive case
work in advising large organizations about the
management of cyber risk.
The normalized risk levels for each sector, as
reported on the following pages, allow organiza-
tions to estimate their own level of cyber risk for
each information asset. In using this report, it is
important to be aware of its limitations. Results
represent the largest organizations within each
sector and are less accurate for smaller organi-
zations, as well as somewhat atypical organizati-
ons within their sector (e.g. a purely online shop
in retail). Results become more accurate when
assumptions are tailored to your organization.
Another important point is that we have analy-
zed the cyber risk for stand-alone organizations.
Spillover effects from one firm to another across
value chains have not been taken into account.
In other words, we have not included correla-
tion or diversification effects caused through a
shared dependence on a critical infrastructure,
for example. We aspire to include this perspec-
tive in future work.
8

The Dutch cyber landscape
Dutch sectors and organizations
In our analysis, taking data from the Dutch Central
Bureau for Statistics (CBS) as a starting point, we
have chosen the 14 largest sectors of the Dutch
economy in terms of gross income as well as
those with the largest exposure to cyber risk.
The Financial Services sector, often reported as
a single sector, contains organizations with very
different business models and thus different
cyber risk exposures. For this reason, we have
split this sector into three: Insurance, Banking,
and Asset Management combined with Pensions.
For the Public Sector, we picked a combination
of Healthcare, Education, and Central Gover-
nment excluding Defense, which is included
in the Defense Aerospace sector. We have
left these three sub-sectors separate for the
purpose of the analysis. Where relevant, specific
results per sub-sector can be found on the Pu-
blic Sector results page.
Not covered in this report
Sectors that in our experience have a limited
exposure to cyber risk or that are rather small,
such as Leisure, Real-estate, and Construction,
have not been extensively analyzed nor included
in this report. Other relevant (sub-)sectors not
covered in this report are Local Government
and Small Medium Enterprises (SME). We
of course recognize that other values outside
economic impact, such as the integrity of legal
and democratic systems and public safety, are
relevant for some sectors, especially for the Pu-
blic Sector. However, these are also not in scope
for our analysis.
Sector Gross income (€bn)3
Percentage of GDP(%)
Oil, Gas Chemicals 720 108%
Public Sector 389 58%
Wholesale Retail 245 37%
Asset Management Pensions 227 34%
Insurance 141 21%
Consumer Goods 130 19%
Banking 99 15%
Telecom 65 10%
Technology Electronics 42 6%
Business Professional Services 36 5%
Transportation 33 5%
Media 27 4%
Utilities 25 4%
Defense Aerospace4
20 2%
Covered in this report 2,199 328%
3 According to annual statements of largest organizations within each sector.
4 Estimated number including Public Sector defense spending.
9

The Dutch state of cyber security
On average, the cyber security of organizations
in The Netherlands is relatively mature when
compared to countries with a similar threat
profile5
. Security is encoded in various laws and
regulations such as the “Wet Computercrimina-
liteit” and the “Wet Bescherming Persoonsgege-
vens”. Dutch policies are contained in the Natio-
nal Cyber Security Strategy as well as a Defense
Cyber Strategy, which are both implemented by
the National Cyber Security Center (NCSC). The
Netherlands has many international partner-
ships with European and global organizations.
It is hard to accurately determine the cyber
security of Dutch organizations based on public
data. Standardized metrics for performance
are lacking and not reported on, however,
useful metrics can be found through extensive
literature analysis. The annual Cyber Security
Assessment Netherlands (CSAN) by the NCSC
also provides useful figures. From our literature
study of over 250 scientific and professional
publications, we have inferred the maturity for
each sector, which we have validated with our
Deloitte sector experts as well as with our team
of around 180 security experts with hands-on
experience.
From this analysis, a couple of observations
stand out. First of all, cyber security maturity
levels tend to be higher for larger and heavily
regulated organizations. This effect is further
amplified when the organization in question is
multinational. Another important factor is expe-
rience with cyber threats. As a result we observe
that the Banking sector, the Oil, Gas Chemi-
cals sector, key components of Central Govern-
ment as well as the Defense Aerospace sector
are relatively mature. On the other hand, most
Small or Medium Enterprises (SMEs) as well as
organizations in the Education, Healthcare and
Utilities sectors have lower than average matu-
rity levels.
Organizations may influence each other in their
cyber maturity. For instance, all organizations
benefit from the relatively mature state of cyber
security of payments, leading to better Liquidity
Integrity for all organizations. This explains the
relatively low impact on Liquidity Integrity for all
organizations, despite high threat levels.
We distinguish four main layers of cyber security
controls: (I) prevention from entry (vulnerability
management, firewalls, etc.), (II) detection and
response (security monitoring and analytics,
incident response, etc.), (III) prevention of abuse
(e.g. encryption, data loss prevention, identity
and access management), and finally, (IV) reco-
very of losses (business continuity management,
crisis management, communications, legal, etc.).
Maturity in all four layers is required to obtain
optimal security. With the help of our quantifica-
tion methodology, optimizing cyber security for
individual organizations is also in reach.
The maturity level of cyber capabilities for an
organization is of key importance to seize the
opportunities of cyberspace while limiting the
impact of potential cyber incidents. Organizati-
ons with a higher level maturity take risks with
more confidence and are better able to innova-
te, or win and retain the trust of their custo-
mers. The efforts required for realizing a certain
maturity level do not exactly scale with the size
of the organization.
The cyber threat landscape
Overall, threat levels are apparent from cyber
threat intelligence reports. Furthermore, we
distinguish between threat profiles only to the
extent that they are attracted to other informati-
on assets or utilize different tactics.
Based on threat intelligence reports as well
as our own research, we make a distinction
between fast and slow attackers. The rationale
behind this is that sophisticated attackers often
make use of highly specialized methods combin-
ed with an incentive to go undetected for as long
as possible, while slowly accumulating abuse.
Less sophisticated attackers on the other hand
take advantage of known exploits and have
an incentive to act as fast as possible to take
advantage of the delay in the defender’s reac-
tion. These attackers are by nature also more
opportunistic, moving on to the next target with
the same method until they find a vulnerable
defender.
Another important characteristic that sets
threat profiles apart is the type of information
assets that are targeted. Some attackers focus
on strategically important information assets,
while others aim at disruption of Operational
Continuity. Based on these insights, we defined
four threat profiles displayed in the table on the
next page.
5 Dutch Global Cybersecurity Index score 0.6765, ranked
6th according to ITU [54] and endorsed by the World
Economic Forum [8]. Also see: www2.deloitte.com/nl/
nl/pages/risk/articles/eu-voorzitter-loopt-op-dun-ijs-als-
cyber-security-gidsland.html.
10

Threat profile Sophistication Abuse rate Main targets
Espionage High Low Strategic Information, Intellectual Property
Advanced Crime High Low Liquidity Integrity, Strategic Information
Mass Crime Low High Liquidity Integrity, Privacy-related Information
Disturbance Low High Operational Continuity
It is no surprise that highly sophisticated threat
profiles constitute the most significant part of
the reported security incidents (CSAN). We also
see a significant impact from these groups in
our report.
With all threat profiles, we assume they will also
target all other information assets, only signi-
ficantly less than their main target. Attribution
of the threat profiles to the individual sectors is
proportional to the size of the information asset.
The only exception to this is the Espionage
profile; this profile may value some information
assets far higher than reflected by the value
impact to the organization. The perspective of
Espionage is strategic with a big incentive for
stealth.
Advanced Crime refers to highly organized and
sophisticated groups with primarily a financial
motive, preferring a large, well-prepared heist,
while being opportunistic about other potential-
ly valuable information assets. Part of this profile
is assumed to target Strategic Information for
the purpose of insider trading.
Mass Crime on the other hand has a low level
of sophistication and thus generally utilizes a
relatively standard set of tools that they deploy
very widely to identify the “low hanging fruit”
across many organizations. This includes use of
malware, phishing, ransomware and others. As
a side-effect from the many failed attempts by
Mass Crime, loss of Operational Continuity and
Control Integrity may occur.
Politically or ideologically motivated actors are
classified under the Disturbance profile. Their
main intent is to disturb operations of an orga-
nization and thus critical systems are targeted
to compromise availability or integrity. In some
cases, an actor in this profile is found to publish
confidential information with the same intent
to disturb an organization’s operation (possibly
obtained by accident).
11

Value impact from abuse
Impact on economic value as a consequence of
cyber threats follows from abuse of information
assets. These information assets are a some-
what abstract notion, since information may be
in multiple places at once, in transit as well as
stationary. Information assets are different bet-
ween organizations and even more so between
sectors, so generalized categories for informa-
tion assets are required to enable comparative
analysis.
We have defined a list of seven information
assets that relate to all potential forms of abuse,
listed in the table to the right.
Information asset Threat description Main value impact
Operational Continuity Availability of ICT systems related to operations, including income Income
Control Integrity Control over non-cash assets or customer products (unwittingly) lost Assets
Intellectual Property Competitive advantage from investment into IP (partially) lost Equity
Strategic Information Loss of company confidential information may lead to (MA) opportunity loss and impair growth Growth
Third Party Information Leakage of confidential information on third parties may lead to loss of clients Market share
Privacy-related Information Confidential information on persons (including employees) may lead to loss of customers and talent Market share
Liquidity Integrity Financial transactions that are initiated or altered by cyber fraudsters may lead to direct financial losses Liquidity
In estimating the value impact in case an in-
formation asset is abused, we took two factors
into account: direct value impact as listed in
the table as well as losses through claims and
fines. The type of claims and fines vary between
the information assets and the jurisdiction the
organization is exposed to.
Note that it may take time before the value
impact materializes. In case of Operational Con-
tinuity or Liquidity Integrity, losses are immedia-
te, but with other information assets, it may take
time before the loss gets uncovered and even
then, it may still go unreported. In case of Third
Party or Privacy-related Information assets, this
may limit the value impact, but for the other
information assets value is lost regardless.
The base value of the information asset (i.e.
the business case leading to its existence) as
well as indirect effects have not been included.
This concerns reputational damage, impact on
societal values, personal lives or impact on third
parties such as with critical infrastructure. We
recognize these effects are important, and aspi-
re to perform further research to include these
factors in the future.
Based on threat levels related to cyber capabi-
lities maturity per organization, we determined
the value impact for each information asset.
From this impact, we also determined the risk
on solvency and creditworthiness of organizati-
ons. For this purpose, we assess the Cyber VaR
against three different criteria:
• Complete loss of equity leading to insolvency
• Equity over debt ratio worsens to 15% below
sector average, impairing creditworthiness
• Losses exceeding three times annual profits,
also impairing creditworthiness
12

Value loss by sector
The absolute expected impact from cyber risk is
not equally distributed over the sectors.
The pie-chart in the top-left corner displays the
expected impact attributed per sector. This is
the graph we use as reference for the results
per sector.
In the top-right corner, a pie-chart displays the
Cyber VaR per sector. Cyber VaR is a measure
for the losses that occur with a low probability.
Interdependencies between organizations have
not been taken into account.
Sectors represented by less than 5% have been
accumulated into the “Other” category.
Value loss relative to income
Cyber risk affects certain sectors more strongly
than others. This can be seen from the value
loss per income (in parts per thousand or ‰).
In the bottom-left corner, the pie-chart displays
the expected impact per income, indicating
which sectors experience the high expected
cyber risk.
In the bottom-right corner, the pie-chart dis-
plays the Cyber VaR per income for each sector.
Sectors represented by less than 5% have been
accumulated into the “Other” category.
Cyber VaRExpected Impact
Attribution of impact
Oil, Gas Chemicals
Public Sector
Wholesale Retail
Asset Management Pensions
Insurance
Consumer Goods
Banking
Telecom
Technology Electronics
Business Professional Services
Transportation
Media
Utilities
Defense Aerospace1.4
.2050
.3200
.4050
1.1
.3450
.1550
.04
.4150
21.6
24.6
6.5
1.1
3.4
.6100
6.5
1.7
7.1
1.8
.7700
.3150
1.2 3.3
3%
9%
5%
1%
2%
3%
4%
5%
25%
9%
5%
2%
7%
20%
4%
13%
4%
1%
3%
1%
9%
4%
23%
7%
3%
2%
6%
22%
2.4
2.4
.3600
.3250
0.2
€bn
% of total % of total
€bn
13

1
CyberVaR
per
Information
Asset
Other
Oil, Gas Chemicals
Public Sector
Wholesale Retail
Insurance
Banking
6
6
9 10
13
18
38
Other
Public Sector
Defense Aerospace
19
7
7
67
Other
Oil, Gas Chemicals
Public Sector
Defense Aerospace
2
22
38
38
Other
Oil, Gas Chemicals
Public Sector
Wholesale Retail
13 12
47
27
Other
Oil, Gas Chemicals
Public Sector
Defense Aerospace
4
17
18
56
6
10
18
12
18
41
Strategic Information
Control Integrity
Intellectual Property
Third Party Privacy-related Information
Operational Continuity
Liquidity Integrity
% % %%%
The contribution of each information asset to
the combined Cyber VaR over all organizations
is depicted in the donut-chart in the middle of
the page. To see the sectors that most contribu-
te to the Cyber VaR for each Information Asset,
we displayed the attribution to the sectors in
the surrounding pie-charts (largest information
assets only).
Attribution per information asset
14

For a worst case event, there are two types of risk:
1. Cyber VaR per income is high(this is given by
the Cyber VaR level,y-axis in the bubble graph);
2. Cyber VaR is far higher than the expected
value loss (this is given by the Cyber VaR
multiplier, x-axis in the bubble graph).
In the bubble graph on the right, we have
plotted all the sectors against these two types
of risk. The size of the bubble indicates the total
amount of income for each sector.
What we observe from the bubble graph is
that sectors with the highest cyber risk are the
Technology Electronics, Defense Aerospace,
Public, and Banking sectors. Analysis shows
that this is mainly because these sectors attract
more Threat Profiles through their particularly
valuable information assets.
Sectors with highest cyber risk
0
20
40
60
80
100
120
140
160
180
0 2 4 6 8 10 12 14 16 18 20
ValueatRisklevel(‰valueimpactpergrossincome)
Cyber VaR multiplier (Value at Risk per Expected Impact)
Increasing cyber risk
Oil, Gas Chemicals
Public Sector
Wholesale Retail
Insurance
Consumer Goods
Banking
Telecom
Transportation
Media
Utilities
Defense Aerospace
A
B
C
D
E
F
G
H
I
J
K
L
M
N
A
E
B
G
F
L
M
J
C
H
D
K
N
I
15

Cyber VaR per Threat profile and sector
THREAT LEVEL PER THREAT PROFILE
Espionage
Advanced crime
Mass crime
Disturbance
36
36
14
14
Other
Public Sector
Banking
Business Professional services
30
28
18
Other
Oil, Gas Chemicals
Utilities
24
36
Other
Public Sector
64
26
46
15
Other
Oil, Gas Chemicals
Public Sector
13
% %
% %
16

INDUSTRY
GROSS INCOME € XXX BILLION (X%)
EXPECTED VALUE LOSS € X.X BILLION (X%)
CYBER VAR € X.X BILLION (X%)
SECTOR IMPACT
X%
Interpretation guide
Cyber threat
Cyber resilience
Insolvency risk
This table provides a quantitative summary of the exposure per Information Asset.
By multiplying the exposure with gross income an organisation specific exposure
can be obtained. The Cyber Var multiplyer at the bottom is the ratio between the
Cyber VaR and Expected impact.
This area contains the most important considerations and observations that follow
from our analysis of the results.
Espionage
Advanced crime
Mass crime
Disturbance
INFORMATION ASSET IMPACT
X%
Operational continuity
X%
Control integrity
X%
Intellectual property
X%
Strategic information
X%
Third party information
X%
Privacy-related information
X%
Liquidity integrity
THREAT OVERVIEW
This text contains the main observations for each sector.
This overview provides a graphical
summary of cyber risk.
Impact for the total sector
% is of all sectors.
This overview identifies the net
threat level per threat profile
relative to other sectors.
18

OIL, GAS CHEMICALS
GROSS INCOME € 720 BILLION (33%)
EXPECTED VALUE LOSS € 2.4 BILLION (24%)
CYBER VAR € 21.6 BILLION (27%)
SECTOR IMPACT
24%
Oil, Gas Chemicals is a large part of the Dutch economy and has relatively high
maturity. Companies within the sector rely heavily on their critical systems which
causes Operational Continuity to be one of their main concerns.
Oil, Gas Chemicals
Cyber threat
Cyber resilience
Insolvency risk
Operational continuity 2.3 21.4
Control integrity 0.1 0.7
Intellectual property 0.4 2.3
Strategic information 0.5 4.3
Third party information 0.1 0.7
Privacy-related information 0.0 0.6
Liquidity integrity 0.0 0.0
Total 3.3 30.0
Cyber VaR multiplier (expected : cybervar =) 9
INFORMATION ASSETS EXPECTED VALUE LOSS
(‰)
CYBER VAR
(‰)
SECTOR CONSIDERATIONS AND OBSERVATIONS
• The cyber security for this sector is mature because threat levels have already been high for quite some time.
• Operational Continuity and Strategic Information lead to approximately 85% of the total risk within this sector.
• Disruption of Operational Continuity can have an especially high impact if production facilities are concerned.
• The value of Strategic Information for this sector is quite high given the sensitive and conﬁdential knowledge of natural
resource locations.
Value exposure (in € mn per € bn revenue)
Espionage
Advanced crime
Mass crime
Disturbance
71%
2%
Control integrity
8%
14%
2%
2%
0%
Liquidity integrity
THREAT OVERVIEW
19

PUBLIC SECTOR
SECTOR IMPACT
24%
The Public Sector is attractive for all threat profiles. It therefore requires eleva-
ted cyber security capabilities. Lower cyber security levels for Education and
Healthcare lead to significant risks for Intellectual Property and Privacy-related
Information, respectively.
Public Sector
Cyber threat
Cyber resilience
Insolvency risk
Total 6.1 63.2
(‰)
CYBER VAR
(‰)
• Loss of Operational Continuity such as with the tax office or social benefits agencies would have a significant impact.
• Lack of Control Integrity of public infrastructure such as bridges, tunnels and water works would have a large impact.
• Given that the Public Sector processes vast amounts of Privacy-related Information, the resulting value impact is still relatively limited.
• The Public Sector is privy to large amounts of commercially sensitive Strategic Information leading to a significant Cyber VaR.
• Most of the threat in Intellectual Property stems from Education.
• Over half of the threat in Privacy-related Information stems from Healthcare.
25%
28%
Control integrity
34%
8%
0%
6%
0%
Liquidity integrity
THREAT OVERVIEW
Espionage
Advanced crime
Mass crime
Disturbance
20

WHOLESALE RETAIL
SECTOR IMPACT
14%
For Wholesale Retail, the largest risk is interruption of business operations,
followed by customer churn for some companies in case of a privacy breach.
Maintaining integrity of operations is of utmost importance.
Wholesale Retail
Cyber threat
Cyber resilience
Insolvency risk
Total 5.5 26.5
(‰)
CYBER VAR
(‰)
• Operational Continuity has the highest risk exposure.
• The risk on Operational Continuity depends on the length of the supply chain and will vary between companies.
• The Wholesale sector has little exposure from personal data, dampening the overall impact on
Privacy-related Information for this sector.
Espionage
Advanced crime
Mass crime
Disturbance
67%
3%
Control integrity
0%
0%
0%
30%
0%
Liquidity integrity
THREAT OVERVIEW
21

ASSET MANAGEMENT PENSIONS
SECTOR IMPACT
2%
The Asset Management Pensions sector is primarily exposed to Operational
Continuity and Privacy-related Information as it forms a possible target for cyber
Disturbance and Mass Crime.
Cyber threat
Cyber resilience
Insolvency risk
Total 0.9 5.0
(‰)
CYBER VAR
(‰)
• The value exposure for pension funds is relatively small, but given the large size of the Dutch pension sector,
the absolute impact is still signiﬁcant.
• Liquidity Integrity impact is low, given high risk awareness of personnel and sound risk controls,
so fraudulent transactions should stand out quickly.
• Operational Continuity primarily concerns Asset Management, while Privacy-related Information
primarily concerns Pensions.
Espionage
Advanced crime
Mass crime
Disturbance
21%
19%
Control integrity
0%
0%
8%
52%
0%
Liquidity integrity
THREAT OVERVIEW
22

INSURANCE
SECTOR IMPACT
3%
Insurance
Health insurance firms will primarily be targeted for their Privacy-related Infor-
mation. Operational Continuity of the asset and liability management, required
to keep financial exposure low, is also under threat.
Cyber threat
Cyber resilience
Insolvency risk
Total 2.3 24.1
(‰)
CYBER VAR
(‰)
• A breach of Privacy-related Information can have a high impact, especially for large health insurance firms.
• Operational Continuity could harm life insurance firms in particular, given their large exposure on financial markets.
• Given the stringent demands from Solvency II, any impact from a cyber breach will have impact on an
insurance firm’s solvency position.
Espionage
Advanced crime
Mass crime
Disturbance
19%
2%
Control integrity
0%
1%
10%
68%
0%
Liquidity integrity
THREAT OVERVIEW
23

CONSUMER GOODS
SECTOR IMPACT
4%
The Consumer Goods sector produces perishable goods and depends heavily
on spot market trading. Therefore, disruption of Operational Continuity provides
the main risk. Incident response focusing on swift process restauration is of vital
importance.
Consumer goods
Cyber threat
Cyber resilience
Insolvency risk
Total 3.1 4.7
(‰)
CYBER VAR
(‰)
• Control Integrity is a relatively exposed asset because the scale of operation demands a high amount
of process automation.
• Cyber-attacks on Strategic Information may have a substantial impact due to the high level of competition in the sector.
• Damage related to Privacy-related Information is caused primarily by claims of employees in case of HR leaks. Third Party
Information is not considered a liability since this mostly constitutes supplier agreements.
Espionage
Advanced crime
Mass crime
Disturbance
26%
31%
Control integrity
18%
6%
1%
17%
0%
Liquidity integrity
THREAT OVERVIEW
24

BANKING
SECTOR IMPACT
4%
The Banking sector has a relatively high maturity, which is unsurprising as its
Liquidity Integrity is an attractive target. Furthermore, Operational Continuity
could become a more critical factor, especially if it persists for a longer period.
Banking
Cyber threat
Cyber resilience
Insolvency risk
Total 3.6 65.7
(‰)
CYBER VAR
(‰)
• Liquidity Integrity still plays a big role for the Cyber VaR in spite of the high level of cyber security.
• A breach of Third party Information would have signiﬁcant impact, given that the license to operate as a
commercial bank could be impaired. For Privacy-related Information this is similar.
• The impact on solvency in case of a signiﬁcant cyber event is potentially quite high due to the
stringent capital regulations and oversight.
Espionage
Advanced crime
Mass crime
Disturbance
4%
2%
Control integrity
0%
1%
72%
21%
8%
Liquidity integrity
THREAT OVERVIEW
25

TELECOM
SECTOR IMPACT
3%
The core business of the Telecom sector is to provide undisturbed services to
their customers. Therefore Operational Continuity and Control Integrity pose
the largest risk. Mitigation eﬀorts could include mutual services agreements with
other operators.
Telecom
Cyber threat
Cyber resilience
Insolvency risk
Total 4.9 26.2
Cyber VaR multiplier (expected : cybervar =) 5.3
(‰)
CYBER VAR
(‰)
• Operational continuity and Control Integrity generate a lot of value for this industry, which includes internet,
telephony and cloud services.
• Cyber VaR for Control Integrity is far higher than the expected impact given its fundamental importance and value for
this sector (the Belgacom hack is an excellent example, see for instance http://tinyurl.com/z397oyf).
• Impact on Privacy-related Information would primarily be caused by loss of customer (meta-)data, leading to increased
customer churn.
Espionage
Advanced crime
Mass crime
Disturbance
36%
41%
Control integrity
8%
0%
3%
12%
0%
Liquidity integrity
THREAT OVERVIEW
26

TECHNOLOGY ELECTRONICS
SECTOR IMPACT
11%
Technology Electronics is primarily exposed through its sizable RD invest-
ments. Loss of Operational Continuity would amount to manufacturing interrup-
tions, while products require sound Control Integrity to maintain their value for
customers.
Cyber threat
Cyber resilience
Insolvency risk
Total 25.6 168.2
(‰)
CYBER VAR
(‰)
• Creditworthiness is at risk in case the Cyber VaR materializes.
• Lost Intellectual Property may constitute a breach of export controls resulting in ﬁnes,
which have been included in the value impact.
• Impact of Control Integrity violation is based on a period of two weeks during which potential damages go unnoticed.
• Improvement of quality controls as well as reducing time to market for innovations would best mitigate these risks.
• Impact from Strategic Information is small because of limited MA activity.
Espionage
Advanced crime
Mass crime
Disturbance
8%
15%
Control integrity
76%
0%
0%
0%
0%
Liquidity integrity
THREAT OVERVIEW
27

BUSINESS PROFESSIONAL SERVICES
SECTOR IMPACT
3%
The Business Professional Services sector is mainly exposed by the risk of
losing their license to operate in the event that highly confidential information is
leaked on a large scale (personal as well as third parties). Loss of Operational
continuity is also impactful.
Cyber threat
Cyber resilience
Insolvency risk
Total 9.4 48.9
(‰)
CYBER VAR
(‰)
• The Business Professional Services sector contains business-oriented services such as
consulting as well as personnel-related services such as staffing agencies.
• Staffing agencies have more Privacy-related Information while business-oriented services more Third party information.
• All Business Professional Services share a similar and average level of exposure to the risk of business disruption.
• This sector has a high insolvency risk if the Cyber VaR is lost because of low amounts of equity relative to churn.
Espionage
Advanced crime
Mass crime
Disturbance
24%
1%
Control integrity
4%
0%
63%
8%
0%
Liquidity integrity
THREAT OVERVIEW
28

TRANSPORTATION
SECTOR IMPACT
2%
The greatest risk for the Transportation sector lies in interruption of business
operations due to cyber Disturbance or Mass Crime activity. Privacy-related
Information may also lead to signiﬁcant value loss given the sensitive informati-
on in travelling records.
Transportation
Cyber threat
Cyber resilience
Insolvency risk
Total 4.6 23.0
(‰)
CYBER VAR
(‰)
• Logistics are quite sensitive to value loss in case of delays, explaining relatively high impact from potential loss of
Operational Continuity.
• Low proﬁt margins in the Transportation sector cause cyber disruptions to quickly impact the solvency position.
• Like elsewhere, startups possessing their own Intellectual Property are gaining ground in The Netherlands, but do not
contribute to the Intellectual Property risk since their gross income is still small.
Espionage
Advanced crime
Mass crime
Disturbance
66%
3%
Control integrity
0%
0%
0%
31%
0%
Liquidity integrity
THREAT OVERVIEW
29

MEDIA
CYBER VAR € 0.3 BILLION (0.4%)
SECTOR IMPACT
0%
The Media sector is mainly exposed through its Control Integrity and Operational
Continuity related to the reliability of media contents. The remaining exposure
stems from the value drivers for the media contents and the high MA activity.
Media
Cyber threat
Cyber resilience
Insolvency risk
Total 1.4 11.4
(‰)
CYBER VAR
(‰)
• The amount of risk on the Media sector is relatively high, because the integrity and
availability of the contents of the media is essential to its value.
• The large number of MA deals increases its exposure on Strategic Information.
• Exposure also stems from Intellectual Property (media contents), Third Party Information (advertisers) and
Privacy-related Information (source protection).
Espionage
Advanced crime
Mass crime
Disturbance
22%
64%
Control integrity
6%
4%
2%
3%
0%
Liquidity integrity
THREAT OVERVIEW
30

UTILITIES
SECTOR IMPACT
2%
Core business for the Utilities sector is providing The Netherlands with basic
and vital needs. This makes this sector highly vulnerable for both Operational
Continuity and Control Integrity abuse.
Utilities
Cyber threat
Cyber resilience
Insolvency risk
Total 6.8 47.6
(‰)
CYBER VAR
(‰)
• Results represent foremost electricity provision, given that this has the largest part to gross income.
• Given the extent of physical controls on utilities through cyberspace, the expected impact from
abuse of Control Integrity is signiﬁcant.
• Privacy-related exposure is small due to the monopolistic nature of the associated markets.
• The solid ﬁnancial position of most utilities limits the risk for insolvency.
Espionage
Advanced crime
Mass crime
Disturbance
47%
40%
Control integrity
0%
1%
1%
11%
0%
Liquidity integrity
THREAT OVERVIEW
31

DEFENSE AEROSPACE
SECTOR IMPACT
4%
The Defense Aerospace sector suffers from the strategic interest from the
Espionage profile in their information assets. If a significant breach is disclosed,
it may easily lead to significant losses that could terminate such firms.
Defense Aerospace
Cyber threat
Cyber resilience
Insolvency risk
Total 20.7 165.6
(‰)
CYBER VAR
(‰)
• Intellectual Property, Control Integrity of sold products as well as the Strategic Information of these
organizations, are extremely valuable to nation states.
• In case such a breach would be disclosed, the value of the firm could quickly dwindle because only small
customers might still rely on its products.
• Cyber VaR is disproportionate to the size of the relatively small organizations in this sector in The Netherlands.
Apart from the Ministry of Defense, this would lead most organizations to insolvency.
Espionage
Advanced crime
Mass crime
Disturbance
0%
29%
Control integrity
16%
54%
1%
0%
0%
Liquidity integrity
THREAT OVERVIEW
32

This analysis of Cyber VaR for the Dutch economy
is based on the Cyber VaR concept that Deloitte
developed in collaboration with the World
Economic Forum. This chapter introduces the
model components, their workings and interre-
lations as well as the underlying assumptions.
Justification
To ensure quality and facilitate reproducibility,
the model builds on previous studies in the
field of cyber risk quantification and public data
as much as possible. The model uses a set of
logical relations to translate available data into
model parameters. The scarcity of suitable cyber
incident data is well known. Heuristic estimation
methods are used where needed to determi-
ne parameters when data or reports were not
available and have been demonstrated to be
surprisingly reliable [51].
The model draws from Deloitte’s insights from
handling cyber incidents for our clients as well
as experience gained in Deloitte’s Cyber Intelli-
gence Center. Furthermore, this report builds
on the expertise of Deloitte professionals in
areas ranging from cyber security, accounting to
legal and HR. We have also extensively involved
security experts at our clients, academia and
government to validate our assumptions and
methodology.
Dealing with uncertainty and Value at Risk
When dealing with risk, the expected impact
does not tell the full story. When a significant
event happens, the severity of the event for
the organization is a major factor in actual risk
assessments and decision making. The Cyber
VaR concept deals with exactly this combination
of expected, or average, impact and severity
in the ‘worst case’. More exactly, Cyber VaR
determines the impact that will annually not be
exceeded with a likelihood of about 95%. This
implies that once in 20 years, the Cyber VaR may
be exceeded with an unknown amount.
Inspired by its successful application in financial
risk management, we use the same approach of
(i) identifying the level of uncertainty around the
expected risk and (ii) the resulting impact this
uncertainty and ‘worst case’ impact have on an
organization’s value.
Due to imperfect data, this model is based on
estimates and assumptions. In the Cyber VaR
model these uncertainties are included by con-
sidering them as a contributor to risk in itself.
The meaning of this is simple: not knowing your
risk is a risk in and of itself.
THREAT PROFILES
1. Espionage
2. Advanced Crime
3. Mass Crime
4. Disturbance
CYBER SECURITY
1. Prevention from entry
2. Detection and response
3. Prevention of abuse
4. Recovery of losses
INFORMATION ASSETS
1. Operational Continuity
2. Control Integrity
3. Intellectual Property
4. Strategic Information
5. Third Party Information
6. Privacy-related Information
7. Liquidity Integrity
Methodology and approach
“There was a statistician that
drowned crossing a river...
It was 3 feet deep on average.”
– A random statistician joke
35

Model structure
In applying the Cyber VaR model, we have cre-
ated a list of organizations that together com-
prise a large share of the Dutch economy. We
collected publicly available data for each organi-
zation through their annual financial statements
(or equivalent), supplemented by other public
sources where needed. These organizations
each fall into one of the 14 sectors. Each sector
has a typical cyber security maturity profile and
a certain exposure to types of cyber attacks.
These attacks are performed by threat actors
that have a certain way of operating and specific
information assets they target. Each threat
actor belongs to one of four threat profiles that
characterizes their behavior.
Furthermore, we identify seven types of infor-
mation assets that may be targeted (listed in the
diagram above). Each threat profile targets the
information assets in different ways.
Interaction between the three components
“Threat profiles”, “Cyber security” and “Informati-
on assets” is described by a few statements:
• Each threat profile is attracted to information
assets according to the threat heat map (see
table).
• Threat profiles distribute themselves over
organizations proportional to the value the
information asset has to them (i.e. how at-
tracted they are to the value of an organizati-
on’s assets).
• The value to the threat actor in case of abuse
is assumed proportional to the value impact
per information asset.
• The Espionage profile is more strongly attrac-
ted to information assets of certain sectors,
indicating the perceived strategic value parti-
cular information assets may have to them.
• Threat profiles accumulate a certain level of
abuse until they are either satisfied or neu-
tralized by an organization’s cyber security
capabilities.
These interactions are described more in depth
in the subsequent sections.
Threat heat map
Each of the four threat profiles is attracted
differently to each type of information asset.
The Espionage profile for instance is primarily
attracted to Intellectual Property and Strategic
Information. However, the ability to abuse Con-
trol Integrity or make abuse of Privacy-related or
Third-party Information may also be of interest
to cyber spies.
Both Advanced Crime and Mass Crime profiles
are interested in cash from abusing Liquidity In-
tegrity. Advanced Crime abuses Strategic Infor-
mation to support insider trading. In addition to
cash, Mass Crime profiles are after Privacy-rela-
ted Information (mostly credit card data) as well
as Control Integrity for the purpose of extorting
an organization. As a by-product, Mass Crime
can significantly impair Operational Continuity
by overloading systems or infecting them with
malware.
Finally, the Disturbance profile primarily targets
Operational Continuity and to a lesser extent
Controls Integrity and Privacy-related Informa-
tion. This contributes to their primary goal of
disrupting operations within an organization.
Each threat profile is attracted to a small extent
to all the other information assets, reflecting the
somewhat unpredictable nature and motives
of actual threat agents. A low attractivity in the
diagram below constitutes a number 50 times
lower than a high attractivity.
Threat heat map Espionage Advanced Crime Mass Crime Disturbance
Operational Continuity L L M H
Control Integrity M L M M
Intellectual Property H L L L
Strategic Information H M L L
Third Party Information M L L L
Privacy-related Information M L M M
Liquidity Integrity L H H L
36

Threat profiles
Each threat profile has its own level of maturity
in operating (i.e. sophistication level) that deter-
mines an organizations effective level of defense
against that threat profile. Based on the obser-
ved and recently modelled divide between slow
and fast attacks [56], we assign either a high or
a low sophistication level to the threat profiles.
Espionage and Advanced Crime demand a slow
approach to remain undetected and thus need
a high level of sophistication. In contrast, attac-
kers within the Mass Crime and Disturbance
profiles generally have a low sophistication and
act fast to optimize their gain. Although typical
attacks can differ slightly from these assumpti-
ons, in general attacks can be attributed to one
of these profiles.
Given the sophistication level of an attacker and
its corresponding abuse rate (slow or fast), the
total threat activity per type of information asset
is calculated. The threat activity is then distri-
buted according to the relative value impact for
each information asset type. Simply put, this
value impact determines how many attacks of
a certain threat profile are carried out on the
seven information assets.
The value impact for each information asset is
determined per organization, based on business
considerations such as the average income per
sector, as well as taking into account historic
cases of claims and fines in case of abuse.
We make an exception for the Espionage threat
profile. Since this type of attacker is interested
in information assets that are of strategic value
to them, the attractivity of these assets may far
exceed the actual value an information asset
has to the targeted organization.
For instance, Strategic Information, Intellectual
Property and Control Integrity within the De-
fense Aerospace sector are highly attractive
to attackers that fit into the Espionage threat
profile.
Information assets
In order to determine the value impact an infor-
mation asset has on an organization in case of
abuse, a single question needs to be answered:
what would the financial impact be in the event
that the information asset would be exploited in
its entirety?
For this purpose, we distinguish two factors: va-
lue impact in the form of reduced profits (either
directly or in the future due to loss of sales) and
costs due to claims by third parties, individu-
als and fines imposed by domestic or foreign
regulators.
With the recent developments in privacy regula-
tions and export controls these claims and fines
can be substantial.
The direct value impact calculation differs per
information asset, but generally consists of com-
ponents based on yearly income, equity value
and/or cash liquidity. We consider these factors
in different quantities per organization depen-
ding on the sector or by using publicly available
information on an organization.
Cyber defense capabilities
Based on historic events and sector specifics,
the capabilities of an organization to prevent
abuse of information assets by a certain threat
profile is different. These defensive capabilities
are divided into four cyber defense capabilities
related to the attack-defense process: “pre-
vention from entry”, “detection and response”,
“prevention of abuse” and “recovery of losses”.
37

We then give each sector a baseline maturity
score for each of these capabilities out of the
five basic levels of maturity within cyber security.
The attack-defense process
About the actual process of a cyber attack, we
define a simple model that has three phases:
“non-criminal assessment”, “criminal assess-
ment” and “abuse”. These phases are shown in
the figure below.
The first (non-criminal assessment) state defines
all potential attackers whom have not breached
the entry barriers of an organization. These
attackers could breach the first layer of defense
(i.e. transitioning from non-criminal assessment
to criminal assessment), depending on their
level of sophistication.
Sophisticated attackers might by-pass protective
barriers by utilizing backdoors, zero-day exploits
or elaborate social engineering. Less sophisticated
attackers might rely on phishing efforts or insider
knowledge to gain access.
If an attacker transitions to the second phase
of the model (criminal assessment), there is a
second security function preventing abuse.
Typically the question is not whether an attacker
will transition to the third phase of the model
(abuse), but rather how long this will take. The
detection and response capability of an organi-
zation versus the sophistication and speed of an
attacker will determine this.
Less sophisticated attackers will require more
time to actually abuse an information asset,
leaving them vulnerable to detection.
After a certain amount of time (based on the
“prevention of abuse” capability) an attacker is
considered to be abusing the attacked informa-
tion asset. This continues until the goal of the
abuse has been reached or the abuse has been
detected and neutralized.
The moment an attacker reaches the third
phase of this model, losses are considered to
be accumulating, and can only be diminished
by the capabilities of an organization to recover
from losses.
Although this model has an organization as its
subject, the whole process equally applies to
third parties acting as caretakers (guardians) of
information for an organization. The third party’s
cybersecurity capabilities then become the
frontline in preventing attacks.
Final remarks
The described model gives an approach to
measuring both Cyber VaR for individual orga-
nizations as well as for complete industries or
economies. While it is based on known model-
ling techniques, the available data is of lesser
quality and less complete than typically available
for such models. We are convinced that despite
this fact, this model is useful to obtain insights.
In fact, the model can identify the level of risk
associated to having low data quality and thus
the value of having better data. As over time
more data will become available, the quality of
the outcomes will further improve.
We have created an approach that can serve
as a generic reference in relating the technicali-
ties of cyber risk to management, business and
economic implications. We intend to further
refine this model and its assumptions in the
near future.
We invite experts who wish to contribute to
reach out to us, be it through challenging our
approach, by providing data and validations or
by joining our team.
38

Capability Description
1. Prevention from entry The fraction of attackers who gain entry to an organization’s systems.
2. Detection and response The expected number of days after which an attacker is detected and
neutralized. No distinction is made between entry and abuse.
3. Prevention of abuse The expected number of days between the breach of security measures
and the actual abuse of an information asset.
4. Recovery of losses Capabilities to reduce damage incurred by the abuse of an information
asset (resilience).
1.
Prevention
from entry
Other
Insider
Backdoor
DDoS
3rd
party
2.
Breach detection
and response
3.
Prevention
of abuse
4.
Recovery
of losses
2.
Abuse detection
and response
NON-CRIMINAL
ASSESSMENT
CRIMINAL
ASSESSMENT
ABUSE
Accumilating
Losses
39

Contact
Marko van Zwam
Partner
Cyber Risk Services
+31 621272904
MvanZwam@deloitte.nl
Twan Kilkens
Managing Partner Clients Industries
Risk Services
+31 612344894
TKilkens@deloitte.nl
Maarten van Wieren
Senior Manager Cyber Risk Quantification
Cyber Risk Services
+31 682019225
MvanWieren@deloitte.nl
Dick Berlijn
Senior Board Advisor
Deloitte Executive Office
+31 620789556
DBerlijn@deloitte.nl
40

About the authors
Maarten van Wieren
Senior Manager Cyber Risk Quantification
Maarten is a specialist in modelling complex systems and leads the cyber risk quantification team. He
combines the latest insights in cyber risk with extensive experience in financial risk including his MSc
degree in Financial Risk Management and his PhD in Mathematical Physics (specializing in complex
systems). His other specialties include balance sheet optimization and economic models.
Esther van Luit
Senior Consultant Cyber Risk Services
Esther has a background in Economics and Management and specializes in the role cybersecurity plays
in society. She has ample experience in cybersecurity governance, researches the cybersecurity skill
gap and cyber risk quantification. She works on getting more women in security, improving security
education and was nominated for “Woman of the Year 2015” by the Cybersecurity Awards.
Raoul Estourgie
Consultant Cyber Risk Services
Raoul studied at the Kerckhoffs Institute for Computer Security and specialized in cryptography. During
his studies he did a minor in economics which created his interest for economic models. With his
recent career launch at Deloitte he decided to focus more on this specific combination with a study in
financial risk management.
Vivian Jacobs
Junior Manager Cyber Risk Services
Vivian has a Physics background and recently completed a PhD in Theoretical Physics at Utrecht Uni-
versity. She has an interest in mathematical modelling and its applications, and enjoys working in an
interdisciplinary setting and building bridges between topics. Vivian joined Deloitte’s Cyber Risk Quanti-
fication team early 2016.
Jeroen Bulters
Junior Manager Cyber Risk Services
Jeroen completed his Bachelor degree in Computer Science in 2007 after which he gained experience
as a software engineer and as Head of Development and Innovation. During this period he assisted
clients in the insurance, fintech, shipping and retail sector with online innovations. Jeroen loves solving
multi-disciplinary problems with a hands-on mentality.
Other Deloitte contributors
Dominika Rusek
Linda Peursum
Luuk Schrandt
Niek IJzinga
Richard Drewes
Roel van Rijsewijk
Ton Berendsen
Toon Segers
Yorick Breukers
41

1. 2020 Cybercrime Economic Costs: No
Measure No Solution. Armin, Thompson,
Ariu, Giacinto and Kijewski; 2015.
2. ENISA Threat Landscape 2015. ENISA; 2015.
Retrieved from: https://www.enisa.europa.
eu/activities/risk-management/evolving-thre-
at-environment/enisa-threat-landscape/
etl2015
3. Cyber Insurance: Covering the Basics. ISF; 2014.
4. The Economics of Information Security and
Privacy. Böhme (editor); 2013.
5. ICT Kennis en Economie 2015. Ministerie van
Economische Zaken, TNO and the Centraal
Bureau voor Statistiek; 2015. Retrieved from:
http://download.cbs.nl/pdf/ict-kennis-econo-
mie-2015-pub.pdf
6. Probability Analysis of Cyber Attack Paths
against Business and Commercial Systems.
Dudorov, Stupples and Newby; 2013. Retrie-
ved from: http://www.csis.pace.edu/~ctap-
pert/dps/2013EISIC/EISIC2013/5062a038.pdf
7. Damage Valuations of Trade Secrets: Eviden-
ce from the Economic Espionage Act of 1996.
Searle, 2009. Retrieved from: http://www.
epip.eu/conferences/epip04/files/SEARLE_Ni-
cola.pdf
8. The Global Information Technology Report
2015. World Economic Forum; 2015. Retrie-
ved from: http://www3.weforum.org/docs/
Forum_Global_IT_Report_2015.pdf
9. Cyber Insurance as One Element of the
Cyber Risk Management Strategy. Hurtaud,
Flamand, de la Vaissière Hounka; 2015.
Retrieved from: http://www2.deloitte.com/lu/
en/pages/risk/articles/cyber-insurance-ele-
ment-cyber-risk-management-strategy.html
10. Incentives and Barriers for the Cyber Insu-
rance Market in Europe. Moulinos; 2013.
Retrieved from: https://www.enisa.europa.
eu/activities/Resilience-and-CIIP/natio-
nal-cyber-security-strategies-ncsss/incenti-
ves-and-barriers-of-the-cyber-insurance-mar-
ket-in-europe
11. QA: Cyber Insurance Fundamentals for Se-
curity and Risk Professionals. Rose, McClean
Lisserman; 2012.
12. How to Structure the Decision-Making Pro-
cess for Cyberinsurance Policies. Weiss; 2014.
13. Copula-based Actuarial Model for Pricing
Cyber-Insurance Policies. Herath Herath;
2011. Retrieved from: http://www.business-
perspectives.org/journals_free/imc/2011/
IMC_2011_1_Herath.pdf
14. The Role of Insurance in Managing and
Mitigating the Risk. UK Government; 2015.
Retrieved from: https://www.gov.uk/govern-
ment/uploads/system/uploads/attachment_
data/file/415354/UK_Cyber_Security_Report_
Final.pdf
15. The Growth of the Global Mobile Internet
Economy. Bock, Field, Zwillenberg and Ro-
gers; 2015.
16. The Mobile Revolution: How Mobile Techno-
logies Drive a Trillion-Dollar Impact. Bezerra,
Bock, Candelon, Chai, Choi, Corwin, Digrande,
Gulshan, Michael, Varas; 2015.
17. Hackers Inc. Economist; 2014. Retrieved
from: http://www.economist.com/news/
special-report/21606421-cyber-attackers-ha-
ve-multiplied-and-become-far-more-professi-
onal-hackers-inc
18. Microsoft Security Intelligence Report. Mi-
crosoft; 2015. Retrieved from: https://www.
microsoft.com/security/sir/default.aspx
19. 2015 Trustwave Global Security Report.
Trustwave; 2015. Retrieved from: https://
www2.trustwave.com/rs/815-RFM-693/ima-
ges/2015_TrustwaveGlobalSecurityReport.
pdf
20. 2015 Dell Security Annual Threat Report.
Dell; 2015. Retrieved from: https://software.
dell.com/docs/2015-dell-security-annu-
al-threat-report-white-paper-15657.pdf
21. Akamai’s State of the Internet Q3 2015.
Akamai; 2015. Retrieved from: https://www.
akamai.com/us/en/multimedia/documents/
report/q3-2015-soti-connectivity-final.pdf
22. A Guide to Cyber Risk: Managing the Impact
of Increasing Connectivity. Allianz; 2015.
Retrieved from: http://www.agcs.allianz.com/
assets/PDFs/risk%20bulletins/CyberRiskGui-
de.pdf
23.Cyber Risk Analytics. AON; 2014.
24. The Cost of Cyber Crime. Detica Cabinet
Office; 2011. Retrieved from: https://www.
gov.uk/government/uploads/system/up-
loads/attachment_data/file/60943/the-cost-
of-cyber-crime-full-report.pdf
25. The Best of the 2014 Information Security
Threat Reports. @k3strel; 2014.
26.2013 Norton Report. Norton; 2013. Retrieved
from: http://www.yle.fi/tvuutiset/uutiset/
upics/liitetiedostot/norton_raportti.pdf
27. Cyber Theft of Corporate Intellectual Proper-
ty: The Nature of Threat. The Economist
Booz Allen Hamilton; 2012. Retrieved from:
Selection of literature
42

http://www.boozallen.com/content/dam/
boozallen/media/file/Cyber-Espionage-Bro-
chure.pdf
28. Is a Cyber Breach Inevitable? Cyber Security
Challenges in the Netherlands. CGI; 2015.
Retrieved from: http://automatie-pma.com/
wp-content/uploads/2015/05/CGI-Cyber-Se-
curity-White-Paper-Final.pdf
29. The Rise of the Hacker. The Economist;
November 7th, 2015. Retrieved from:
http://www.economist.com/news/busines-
s/21677638-rise-hacker
30. 2015 Data Breach Investigations Report. Veri-
zon; 2015. Retrieved from: https://msisac.
cisecurity.org/whitepaper/documents/1.pdf
31. Cyber V@R: a Cyber Security Model for Value
at Risk. Raugas, Ulrich, Faux, Finkelstein and
Cabot; 2013. Retrieved from: https://www.
cyberpointllc.com/docs/CyberVaR.pdf
32. Threat Intelligence Report 2012-2013 H1.
Group IB; 2013. Retrieved from: http://re-
port2013.group-ib.com/
33. The New Cybercriminals HPP – Hackers
Profiling Project. UNICRI; 2012. Retrieved
from: http://www.secure.edu.pl/pdf/2012/
D1_1545_A_Bosco.pdf
34. Assessing Cyber Security: a Meta-Analysis
of Threats, Trends, and Responses to Cyber
Attacks. Gehem, Usanov, Frinking Radema-
ker; 2015. Retrieved from: http://www.hcss.
nl/news/assessing-cyber-security/1292/
35. The Economics of Defense. Juniper Net-
works; 2015. Retrieved from: https://
www.juniper.net/us/en/local/pdf/execu-
tive-briefs/3000091-en.pdf
36. Cyber Security Consulting. Hichman; 2013.
37. The Economic Impact of Cybercrime and
Cyber Espionage. CSIS; 2013. Retrieved from:
http://www.mcafee.com/us/resources/re-
ports/rp-economic-impact-cybercrime.pdf
38. 2015 Cost of Data Breach Study: Global Ana-
lysis. Ponemon Institute LLC; 2015. Retrieved
from: https://nhlearningsolutions.com/Por-
tals/0/Documents/2015-Cost-of-Data-Bre-
ach-Study.PDF
39. Global State of Information Security Survey.
HM Government; 2015. Retrieved from:
http://www.pwc.com/gx/en/issues/cyber-se-
curity/information-security-survey.html
40. Internet Security Threat Report. Symantec;
2015.
41. Cyber security: Everybody’s imperative. De-
loitte Canada; 2014. Retrieved from: https://
www2.deloitte.com/content/dam/Deloitte/ca/
Documents/risk/ca-en-cyber-security-every-
bodys-imperative.PDF
42. The Cost of Immaturity: the Business of
Protecting Against Computer-hacking is
Booming. The Economist; November 7th,
2015. Retrieved from: http://www.econo-
mist.com/news/business/21677639-busi-
ness-protecting-against-computer-hac-
king-booming-cost-immaturity
43.Cyber Warfare: Building the Scientific Foun-
dation. Jajodia, Shakarian, Subrahmanian,
Swarup Wang (Editors). Advances in Infor-
mation Security 56, Springer; 2015.
44. Hackonomics: Cybercrime’s cost to the busi-
ness. Blue; 2014. http://www.zdnet.com/article/
hackonomics-cybercrimes-cost-to-business/
45. VCDB Explorer. Veris; 2015. Retrieved from:
http://vcdb.org/explore.html
46. Data Breach Reports. ITRC; 2015. Retrieved
from: http://www.idtheftcenter.org/images/
breach/DataBreachReports_2015.pdf
47. Markets for Cybercrime Tools and Stolen
Data. Ablon, Libicki Golay; 2014. Retrieved
from: http://www.rand.org/content/dam/
rand/pubs/research_reports/RR600/RR610/
RAND_RR610.pdf
48. Cyber Security Assessment Netherlands
2015. NCSC, 2015. Retrieved from: https://
www.ncsc.nl/english/current-topics/Cyber+-
Security+Assessment+Netherlands
49.Net Losses: Estimating the Global Cost of Cy-
bercrime. CSIS; 2014. Retrieved from: http://
www.mcafee.com/us/resources/reports/
rp-economic-impact-cybercrime2.pdf
50. The Hacked World Order. Segal; 2016.
51. Superforecasting: The Art and Science of
Prediction. Tetlock Gardner; 2015.
52. Risk Savvy: How to Make Good Decisions.
Gigerenzer; 2015.
53. M-Trends 2015: A View from the Front Lines.
Mandiant; 2015. Retrieved from: https://
www2.fireeye.com/rs/fireye/images/rpt-m-
trends-2015.pdf
54. Global Cybersecurity Index. ITU; 2015. Retrie-
ved from: https://www.itu.int/dms_pub/itu-d/
opb/str/D-STR-SECU-2015-PDF-E.pdf
55. Top Countries Best Prepared Against
Cyberattacks. Santiago; July 22, 2015.
Retrieved from: https://www.weforum.org/
agenda/2015/07/top-countries-best-prepa-
red-against-cyberattacks/
56. M. van Wieren et al., Understanding Bifurca-
tion Between Slow versus Fast Cyber Attackers,
submitted (2016)

This report is not part of an assurance engagement. As a consequence, no assurance will be provided with regards to the accuracy of the information.
It will be the responsibility of the readers of our report to assess whether the report, in the context of the totality of information available to them and their risk perception, meets the requirements to be determined by them. The reader is responsi-
ble for the drawing of conclusions from the report and actions taken as a consequence of these conclusions. Our report will be provided solely for the reader’s informational purposes and internal use, and is not intended to be reproduced without
the written permission of Deloitte. We have, amongst others, based our research on public economic figures of which the validation has not explicitly been verified by Deloitte. During the transfer of these figures from the public domain to the
context of the model, errors might have occurred that could have escaped our attention. Despite the fact that this is a quantitative report, the parameters in the model have been determined based on a sample of organizations in The Netherlands.
If a different sample were to be used, it is conceivable that these parameters would have been estimated differently. This project has been completed in a limited time frame. If there would have been more time available, we might have come to
different results or other recommendations.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and indepen-
dent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk
management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality
service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 220,000 professionals are committed to making an impact that matters. This communication contains general information
only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall
be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2016 Deloitte The Netherlands

deloitte-nl-risk-cyber-value-at-Risk-in-the-Netherlands

More Related Content

What's hot

Viewers also liked

Similar to deloitte-nl-risk-cyber-value-at-Risk-in-the-Netherlands

deloitte-nl-risk-cyber-value-at-Risk-in-the-Netherlands